$10K Prize Nets Apple Vulnerability

It is often said that hackers eschew exploiting security holes in Apple's Mac OS X operating system in favor of researching flaws in Microsoft Windows computers because most of the world runs Microsoft machines. Thus, finding unpatched security flaws in Apple's software simply doesn't offer as much return on investment for attackers.

But what if that investment was limited to 72 hours and the return was more than guaranteed?

Spurred by a $10,000 purse and the prize of a brand new Apple MacBook Pro computer, security researchers at the annual CanSecWest hacker conference in Vancouver, British Columbia, reportedly found a previously undocumented security hole in a fully patched OS X software package running on a MacBook Pro.

CanSecWest founder Dragos Ruiu had sought to liven up the conference with a hacking challenge for attendees. Organizers set up two MacBook Pro computers on the conference network and challenged attendees to find a way to remotely compromise the machines. One machine would be given to the first person to compromise it with an exploit that allowed the attacker to assume the same level of access on the computer as the default user account. The second MacBook would only be awarded to a hacker who could find a way to seize complete control over the machine by finding a security flaw that would allow "root" access on the MacBook.

The challenge initially failed to interest many attendees, most of whom were apparently unaware that Apple had just shipped patches to plug some 25 separate security vulnerabilities. By the time a group of researchers decided to try and exploit the vulnerabilities, the conference staff had patched the systems, according to Rob Lemos, a reporter for SecurityFocus.com, a publication owned by security giant Symantec Corp.

With few takers on the first day of the conference, security vendor TippingPoint sought to liven things up a bit by offering a $10,000 bonus to the first attendee to successfully hijack the machines. According to the CanSecWest blog, one attendee rose to the challenge, finding an unpatched bug in Safari, Apple's default Web browser. Conference organizers said the bug can be triggered by merely convincing a Mac user to visit a specially crafted Web page.

From the CanSec site: "At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release."

Details of the vulnerability are sketchy, but the folks over at the Matasano Security blog appear to have a tiny bit more information, such as that the bug was found by Dino Dai Zovi, a security researcher who has previously found and reported flaws in Apple's software.

By Brian Krebs | April 21, 2007; 9:15 AM ET | From the Bunker

Comments

Good write up. It should be noted however that the original contest was also too difficult, so in addition to the $10K bonus, they relaxed the rules to allow hacking via a web site that the target machine would visit in Safari. The original contest goal (attacking a remote Mac) is still up for grabs.

Posted by: Yuri | April 21, 2007 10:22 AM

Dino Dai Zovi works at Matasano.

Posted by: Kei | April 21, 2007 10:53 AM

liven up with $10,000 ?????

It was part of the prize from the very beginning.

Posted by: Max | April 21, 2007 2:29 PM

It is nothing more nothing less than a MOAB kind of exploit.

BTW, if you use Firefox, the exploit does not work. It is not Mac OS X to have a security problem: during the first day nobody succeeded to hack the Mac remotely. It is a Safari vulnerability.

Still, nothing to see: MOAB in January showed some 10 or so of these vulnerabilities involving Safari, iChat, Quicktime, and other third party applications.

MOAB failed big time showing a Mac OS X exploitable vulnerability as CanSecWest now. This is like a vulnerability in Internet Explorer. What about the remote vulnerabilities of Windows, ie, the OS?

Once again Mac OS X passed the test hands down. If ever, the $10,000 should have gone to the MOAB people, they found more than just one Safari exploitable vulnerability. And Apple patched them in all applications affected few days after.

Posted by: PS | April 21, 2007 2:35 PM

The vulnerability affects Firefox as well as Safari:

http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/

Watch that space for more details as they emerge.

Posted by: Thomas H. Ptacek | April 21, 2007 2:39 PM

This is brilliant!
$10,000 is a nothing compared to what Apple stands to lose if these exploits hit the consumer unpatched! Can you imagine 25 different hacks hitting OS X over the next year? Apple's name right now has much to do with the fact that their system has an unearned reputation of being "bullet-proof". If Apple does not have that, they are lost. iPod-be-damned Windows users will not buy a niche computer that is not safe to operate, regardless of its other attributes.
That said, I am an Apple fan and am writing this on a patched OS X laptop. I like OS X better than all other OS(s) I have tried.

Posted by: bignumone | April 22, 2007 8:01 AM

@Yuri: Yes.
@Max: No. Original prizes were the computers themselves.
@PS: You're irrelevant. And ignorant. As always.

Posted by: Rick | April 22, 2007 8:32 AM

"there is an exploitable flaw in Safari which can be triggered within a malicious web page"

So Thomas H. Ptacek posts a link to a web page from the place where the guy works who found the flaw.

Posted by: Huh? | April 23, 2007 2:59 PM

Interestingly, about a decade ago a Swedish site ran a "Hack a Mac" contest for a few years running. The challenge was to alter the text of a Mac-run website. No one ever won.

So the classic OS was more secure? :-)

Posted by: Gary | April 23, 2007 10:36 PM

Oh lord. More bad reporting by the Krebster.

The first day of the contest, you had to launch an attack against the MacBooks. After that didn't work, you could then navigate to a web page and use that as an attack vector.

Big difference from Krebster's account....

Posted by: Charlie | April 24, 2007 1:47 PM

FYI...

- http://isc.sans.org/diary.html?storyid=2689
Last Updated: 2007-04-24 21:54:43 UTC ~ "Secunia has posted an advisory today that involves Apple Quicktime Java. According to the advisory this is a highly critical problem that affects versions 3.x, 4.x, 5.x, 6.x and 7.x. The vulnerability is due to an unspecified error within the Java handling in QuickTime. This can be exploited allowing execution of arbitrary code when a user visits a malicious web site using a Java-enabled browser e.g. Safari or Firefox (ed. note: IE, too)..." http://secunia.com/advisories/25011/

> http://www.us-cert.gov/current/#vulnerability_involving_apple_quicktime_and

Posted by: J. Warren | April 25, 2007 7:39 AM

I think the biggest thing that should be taken away from this is that they were unable to remotely compromise the machines. While I would not want to take away from the significance of the exploit that was found, this exploit requires some action by the user. Was the attacker able to gain root access to the machine? If not, that is a significant fact that was left out.

Another excellent job reporting ALL of the facts BK.

Posted by: Troy | April 25, 2007 8:09 AM

©  The Washington Post Company